Originally posted by: ectophile

So far as I can tell, it does use https. However, it's all hidden - there doesn't appear to be a separate https login page.

As far as I can see I can log in unsecured then click on the 'My IET' button, which takes me to a secured (https) page.

This is pretty much useless as anyone (on the network) could capture my unsecured login password and have full access to wreak havoc on the forums (not that I'm entirely innocent on that score) and view details about me and change things as they please.

When I enter my username and password in the white boxes, which are echoed back to me (though the password is in dotted format), the page is still in non-secured http mode. Therefore anyone can potentially capture my login details as I enter them.

It's only when I hit the green 'Login' button that I am then taken to a secured https page. But by then it's too late as far as security is concerned.

We should be taken to a secured https page after hitting the green Login button. Then allowed to enter our details to be authenticated. That's how the Banks do it.

You can enter your username and password on almost any page. That page has already been delivered to your PC (as you say, under HTTP), so that you can view it. When you key your password, you're just putting it into your local PC.

When you then submit the form with your username and password, you do so to this page: https://logon.theiet.org/login.cfm

That's under HTTPS, so your login is protected. That's not to say that there are no benefits to having the username/password form under HTTPS, so we are looking at it as part of the normal process of review that I have mentioned.

Levels of security need to be appropriate to the context. Bank-level security comes at a cost to the provider and to the user - for the latter, it's in the form of the inconvenience of one-time passwords or other additional security measures, that would not be used on most Web sites.

On the other hand, the IET is very aware that it holds members' personal data and conducts financial transactions, and must take measures accordingly.

Hope this helps.

Regards

-------------------------
David Rossall
The Institution of Engineering and Technology
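
An added example, not part of the original posts and not the IET's own code: a small Python check for the arrangement discussed in this thread, where a login form is delivered over HTTP but submits to an HTTPS address. The page address, the field names and the POST method in the sample are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect (action, method) of every <form> containing a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # [action, method, has_password] while inside a form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", (a.get("method") or "get").lower(), False]
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current[2] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current:
            if self._current[2]:
                self.forms.append(tuple(self._current[:2]))
            self._current = None


def audit_login_forms(page_url, html):
    """Return (submit_url, method, verdict) for each password form on the page."""
    finder = LoginFormFinder()
    finder.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for action, method in finder.forms:
        target = urljoin(page_url, action)  # empty or relative action inherits the page scheme
        if urlsplit(target).scheme != "https":
            verdict = "password sent in clear"
        elif method != "post":
            verdict = "password placed in URL query string"
        elif not page_secure:
            verdict = "submission encrypted, form page itself served without HTTPS"
        else:
            verdict = "form page and submission both over HTTPS"
        findings.append((target, method, verdict))
    return findings


# Constructed sample: page fetched over HTTP, login box posting to the HTTPS URL from the thread.
SAMPLE_URL = "http://forum.example/thread"  # hypothetical page address
SAMPLE_HTML = ('<form action="https://logon.theiet.org/login.cfm" method="post">'
               '<input name="username"><input type="password" name="password"></form>')
```

Calling `audit_login_forms(SAMPLE_URL, SAMPLE_HTML)` reports the third verdict: the submission is encrypted, while the page that carries the form arrived without HTTPS.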